Support for multiple controllers in Boundary Desktop

[reza-solaris]

Hello,
Currently, if there are multiple Boundary installations, the user must sign out from one instance and connect to the other. The user must also type in the URL of each installation at every login.

It would be very beneficial if the Boundary Desktop client would allow multiple active instance connections. Something like having multiple instances of Boundary Desktop client open at the same time. To overcome this, we are currently using open -n -a Boundary.app to authenticate to multiple controllers at the same time. But it is not a convenient solution.

Something like this:

[xingluw]

Hi @reza-solaris, thank you for this feature request, this is something we have considered adding to the product, I will leave this post open to gauge community interest.

[somurzakov]

All companies will have multiple controllers (each for dev/test/staging/prod at least) and this feature is needed for any developer to be able to seamlessly roam across different environments

[xingluw]

@somurzakov @reza-solaris Boundary supports multiple scopes (Orgs and Projects) which allows teams to have several different environments to manage targets and users, as well as flexibility in auth methods. I am wondering if that solves the issue, or why there is a need to run multiple control planes (which would require multiple accounts)?

[reza-solaris]

Although it is possible to have all the targets from different environments in one controller, it would mean having a network connectivity from a single controller to other network segments (controller-worker connectivity). Thus, that would break the network segregation.

[xingluw]

Is there a concern with the control plane being able to reach all workers/networks if there are role-based permissions that prevent users from reaching those networks?

Or is it a requirement that certain networks can only be accessed by certain controllers? Completely air-gapping the environments.

Edit: Is the purpose of this to test out Boundary functionality and configurations? Or to separate production-level, widely-accessed infrastructure?

[reza-solaris]

Yes. Correct. The purpose of this functionality is to have production network complete segregation.

[muthukumars]

boundary authenticate to a controller1-url from command line
boundary authenticate to a controller2-url from command line.
one can access targets in controller1 as well as controller2 because both tokens are available and stored.
the same is not in Boundary desktop as per this posting.

Use cases could be possible

1. i do not want to allow the users to access targets in controller1 when I am authenticated on controler2 and vice-versa (both in CLI and desktop) - looks like desktop works that way. how do we do in CLI
2. it is also possible use case, both CLI and boundary desktop may expect to deal with targets on both

Please suggest